For organizations that manage payment transactions or could impact the security of cardholder data, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is critical.
In 2022, the PCI Security Standards Council (PCI SSC) published PCI DSS 4.0 (now 4.0.1), a major update to the standard that expanded the list of mandatory security controls while adding greater flexibility for businesses that must comply.
In order to support this flexibility, the latest version of PCI DSS introduced the Targeted Risk Analysis (TRA)—a structured approach to evaluating security risks, determining appropriate control parameters, and ensuring organizations maintain compliance in a way that aligns with their unique operational environments.
Here’s everything you need to know about TRAs and when they might be applicable to your organization:
In today’s dynamic threat landscape, a one-size-fits-all approach isn’t sufficient to keep cardholder data secure. Recognizing this, the latest version of PCI DSS adds requirements surrounding what is known as a Targeted Risk Analysis, or TRA, meant to offer context and adaptability for organizations that must comply with the international standard.
A TRA is a formal, documented evaluation of security risks associated with a specific PCI DSS control. Unlike a broad, organization-wide risk assessment, a TRA focuses on a particular requirement where PCI DSS allows businesses some flexibility—such as defining how often a control must be applied or determining the most appropriate method of implementation.
There are two types of TRAs: one for a standard approach, which follows PCI DSS’s prescribed controls and frequencies, and another for a customized approach. While customized approaches are rare and complex, they represent a significant part of the changes and improvements introduced in PCI DSS 4.0.
Many requirements outlined in the latest version of PCI DSS rely on a TRA to ensure that security measures remain effective and proportionate to an organization’s specific risks. For this reason,
the TRA must be in place for all organizations by March 31, meaning it is fully documented and completed by the time of the company’s next assessment.
Organizations should complete a TRA in cases when PCI DSS permits flexibility in implementing or maintaining a control. In practice, this includes cases where businesses are allowed to define the frequency of a control—for instance, how often security training or vulnerability scans must occur. However, it’s important to note that a TRA cannot be used to reduce the frequency of a control below what is already required in PCI DSS.
A TRA must be conducted at least once per year or whenever there are significant changes to the environment that could impact security. The analysis should be well-documented, include justification for the decisions made, and be reviewed by relevant stakeholders, including security teams, compliance executives, and your PCI Qualified Security Assessor (QSA).
Several new requirements in the latest version of PCI DSS mandate a TRA to determine control frequency, implementation details, or response timelines. Some of the most critical areas where a TRA is required include:
Each of these requirements emphasizes a risk-based approach to security, ensuring that organizations tailor their compliance efforts to their unique operational environments.
The introduction of the TRA in PCI DSS represents a shift toward a more flexible, risk-based approach to security. While this provides organizations with greater control over how they implement certain requirements, it also increases the responsibility to document, justify, and validate security decisions.
As of March 31, 2025, all organizations that could impact the security of cardholder data must comply with the future-dated controls included in the latest version of PCI DSS.
Are you required to comply but aren’t sure how to take the next steps? We can help. Contact us today for a free consultation.